Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    per-Application IP Address / IP Access Control

    Feature Requests
    3
    4
    356
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wind.gmbh last edited by

      By default, a Cloudron App will be served on all Interfaces.
      Therefore, if any Cloudron App is required to be reachable by the public internet, all Cloudron Apps on the host will be reachable by the public internet.

      server {
          listen       443 ssl http2;
          server_name  application.cloudron-host.example.com;
          listen       [::]:443 ssl http2;
      }
      

      It would be great if it was possible to assign a dedicated IP address that an application will exclusively listen on.
      That way, the application could be hidden from the public internet by restricting access to it on a network firewall.

      server {
          listen       10.10.10.10:443 ssl http2;
          server_name  application.cloudron-host.example.com;
          listen       [fdea:dbee::f]:443 ssl http2;
      }
      

      Another way of achieving a similar goal on a single IP address/ all interfaces would be IP access control lists in the reverse proxy:

      server {
          listen 443 ssl http2;
          server_name application.cloudron-host.example.com;
          listen [::]:443 ssl http2;
          allow 192.168.1.0/24; # Allowed Access
          deny all;
      }
      

      I know that this is probably a lot more work to implement in the front end, than in these quick examples.
      But anyway, these features are probably something that possibly other users would appreciate.

      girish 1 Reply Last reply Reply Quote 3
      • girish
        girish Staff @wind.gmbh last edited by girish

        @wind-gmbh Is the use case here that the server has multiple interfaces and one is public internet and another is private internet ? In that case, you want to configure the app(s) to listen only on the private internet interface? Did I get the use case right?

        FWIW, I prefer the first config more then the second one i.e just restrict listening on the interface only in the first place.

        W 1 Reply Last reply Reply Quote 0
        • W
          wind.gmbh @girish last edited by

          @girish said in per-Application IP Address / IP Access Control:

          @wind-gmbh Is the use case here that the server has multiple interfaces and one is public internet and another is private internet ?

          Yes, exactly. It is basically the idea to limit the attack surface in a single-server scenario by excluding some apps from the public eye.

          @girish said in per-Application IP Address / IP Access Control:

          FWIW, I prefer the first config more then the second one i.e just restrict listening on the interface only in the first place.

          I would say either has it's advantages:

          listen on IP allow / deny
          Network Layer Layer 3/4 (TCP/IP) Layer 7 (HTTP)
          Works with single IP no yes
          Network segmentation / Firewall required yes no
          Visible Access Barrier Not routed / dropped by Firewall HTTP 403
          Cloudron needs to keep track of assigned IP addresses yes no

          They are differently working solutions for the same basic problem, that apply to different scenarios.

          1 Reply Last reply Reply Quote 2
          • Referenced by  W wind.gmbh 
          • Referenced by  W wind.gmbh 
          • Referenced by  W wind.gmbh 
          • D
            dylightful last edited by

            I second this request, however, is slightly different to the private interface your referencing @girish

            x1 server, 5 public interfaces (eth0-5) all with public static IP's.

            In my scenario, a client would be assigned a single static IP for all their applications. I'm doing this currently by spinning up an individual VPS on Runcloud for their apps. The main advantage for them is RDNS for their 'assigned' IP address.

            Just my 2cents

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Powered by NodeBB